LinuxQuestions.org
Old 03-14-2021, 04:03 AM   #1
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,506

Rep: Reputation: 99
Slackware full disk encryption questions


Hi,

I'm fairly new to OS encryption. I'd like to achieve a full-blown FDE.
Apart from some googling, I looked at:
https://ftp.osuosl.org/pub/slackware...ADME_CRYPT.TXT
https://ftp.osuosl.org/pub/slackware...EADME_UEFI.TXT
https://wiki.archlinux.org/index.php..._entire_system

Please correct me if I'm wrong, so far this is what I understood:
- I can't use an encrypted MBR and /boot because Slackware doesn't support Secure Boot
So this procedure is not possible:
https://wiki.archlinux.org/index.php...ncrypted_/boot

- I can use either legacy BIOS or UEFI
 
Old 03-14-2021, 04:10 AM   #2
chrisretusn
Senior Member
 
Registered: Dec 2005
Location: Philippines
Distribution: Slackware64-current
Posts: 1,919

Rep: Reputation: 802
Okay, I'm not too knowledgeable on this subject, but grub is included with Slackware. What is stopping you from using grub?

Last edited by chrisretusn; 03-14-2021 at 09:39 AM.
 
Old 03-14-2021, 08:05 AM   #3
slac
Member
 
Registered: May 2019
Posts: 183

Rep: Reputation: Disabled
You can also encrypt your boot partition if that is what you want. But you will need to use grub instead of lilo/elilo. Also remember to encrypt your boot partition using luks1 instead of luks2 (which is the default) since grub still cannot manage grub2 (grub2.04 in current, right now). Conveniently grub2.06 is on its way and it supposedly has support for luks2, but it is still in alpha/beta. The log for grub says that, if no big error is found, it will be released in a month or so.

Remember that only /boot is encrypted and NOT the mbr, bios boot or efi block device (depending on which one you want to use, it does not matter, only /boot is encrypted).

Last edited by slac; 03-14-2021 at 08:19 AM.
 
1 members found this post helpful.
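To check which LUKS format an existing container uses before pointing GRUB 2.04 at it, as the post above advises, the header can be read directly. This is an added example, not code from the thread; the function names and the constructed 8-byte sample headers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read the LUKS format version from a
# device or image header. Both formats start with the 6-byte magic
# "LUKS" 0xBA 0xBE followed by a 2-byte big-endian version number.

luks_version() {    # $1 = block device or image; prints 1, 2 or "none"
    hdr=$(head -c 8 "$1" 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *)                echo none ;;
    esac
}

check_boot_for_grub204() {  # $1 = device/image that will hold an encrypted /boot
    case "$(luks_version "$1")" in
        1) echo "$1: LUKS1, usable for an encrypted /boot with GRUB 2.04" ;;
        2) echo "$1: LUKS2, GRUB 2.04 cannot open it;" \
                "recreate with: cryptsetup luksFormat --type luks1" >&2
           return 1 ;;
        *) echo "$1: no LUKS header found" >&2
           return 2 ;;
    esac
}

selftest() {        # constructed 8-byte headers instead of real devices
    t=$(mktemp -d) || return 2
    printf 'LUKS\272\276\000\001' > "$t/boot-luks1.img"
    printf 'LUKS\272\276\000\002' > "$t/boot-luks2.img"
    printf 'not a luks header'    > "$t/plain.img"
    for f in "$t"/*.img; do check_boot_for_grub204 "$f" || :; done
    rm -rf "$t"
}

case "${1:-}" in
    selftest) selftest ;;
    "")       ;;
    *)        check_boot_for_grub204 "$1" ;;   # reading a real device needs root
esac
```

Run it with `selftest` to see all three outcomes, or with a device path such as the partition intended for /boot.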
Old 03-14-2021, 08:58 AM   #4
jr_bob_dobbs
Member
 
Registered: Mar 2009
Distribution: Slackware,Linux From Scratch
Posts: 544
Blog Entries: 93

Rep: Reputation: 151
Was going to jump in with a reply & correcting, since I've been running a LVM2 over LUKS system for a year now (Before that it was LVM over LUKS) but a question has emerged.

Are you all saying that grub somehow inside itself has the functionality of cryptsetup and the LVM utilities, so that the partitions are unlocked and activated before the kernel is started?

p.s. lilo user here. LUKS LVM2 with thin provisioning working fine.

Last edited by jr_bob_dobbs; 03-14-2021 at 09:00 AM.
 
Old 03-14-2021, 08:59 AM   #5
ricky_cardo
Member
 
Registered: Feb 2006
Location: Syracuse, NY
Distribution: Slackware64-Current
Posts: 172

Rep: Reputation: 66
I have not tried this personally but here is some info about secure boot
https://docs.slackware.com/howtos:se...ng_secure_boot
 
1 members found this post helpful.
Old 03-14-2021, 09:50 AM   #6
slac
Member
 
Registered: May 2019
Posts: 183

Rep: Reputation: Disabled

Quote:
Originally Posted by jr_bob_dobbs View Post
Was going to jump in with a reply & correcting, since I've been running a LVM2 over LUKS system for a year now (Before that it was LVM over LUKS)
Did you not want to say "Before that it was luks over lvm" instead? Otherwise you said the same twice, I think.

Quote:
Originally Posted by jr_bob_dobbs View Post
but a question has emerged.

Are you all saying that grub somehow inside itself has the functionality of cryptsetup and the LVM utilities, so that the partitions are unlocked and activated before the kernel is started?
I am not quite sure but at least in grub documentation those functions are called modules. So they say something like "Add x module to grub configuration" in order to boot depending on the custom setup that it is wanted to boot up.

As for if grub is able to unlock all encrypted partitions before kernel, I do not know. But I am pretty sure that some code needs to be added to grub to be able to show the grub menu if the /boot partition is encrypted.

You can take a look at grub repository, there are commits to add support to unlock /boot encrypted with luks2: https://git.savannah.gnu.org/cgit/gr...t=grep&q=luks2
 
1 members found this post helpful.
Old 03-14-2021, 09:52 AM   #7
slac
Member
 
Registered: May 2019
Posts: 183

Rep: Reputation: Disabled

Quote:
Originally Posted by ricky_cardo View Post
I have not tried this personally but here is some info about secure boot
https://docs.slackware.com/howtos:se...ng_secure_boot
Now that you have mentioned it. Just for the op: "securing" /boot encrypting it with luks is different from "Secure Boot" which is something related to UEFI. Slackware does not come with Secure Boot by default like other GNU/Linux distributions but in the quote you have been shared a link to docs to enable it. Both "Secure Boot" and encrypting /boot can be done in Slackware.
 
Old 03-14-2021, 09:59 AM   #8
slac
Member
 
Registered: May 2019
Posts: 183

Rep: Reputation: Disabled

Quote:
Originally Posted by jr_bob_dobbs View Post

p.s. lilo user here. LUKS LVM2 with thin provisioning working fine.
Yes, there are no problems to open encrypted partitions using lilo/elilo since that operation is done by the initial ram disk (initrd)/kernel (not by the boot-loader). But if /boot is encrypted grub will need to be used (luks1, at the moment; seems like luks2 as well in the future).
 
Old 03-14-2021, 10:44 AM   #9
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,506

Original Poster
Rep: Reputation: 99
Quote:
Originally Posted by chrisretusn View Post
Okay, I'm not too knowledgeable on this subject, but grub is included with Slackware. What is stopping you from using grub?
Nothing but my lack of knowledge about encryption :-)
 
Old 03-14-2021, 12:06 PM   #10
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,914

Rep: Reputation: Disabled
Quote:
Originally Posted by Linux.tar.gz View Post
Nothing but my lack of knowledge about encryption :-)
This is usually fixed by learning. Else you can have full encryption out of the box, installing Slint. Caveat: the installer will propose you to encrypt the disk only if:
  1. You choose the Auto installation mode (not Manual)
  2. The drive where you install Slint will be dedicated to it.
Questions? irc.freenode.net, channel #slint.
 
Old 03-14-2021, 12:15 PM   #11
mralk3
Senior Member
 
Registered: May 2015
Distribution: Slackware on ARM and Aarch64
Posts: 1,573

Rep: Reputation: 891
Encrypting /boot is not necessary. Elilo, lilo and the kernel are all well known code bases. There is no reason to encrypt the partition that contains them because nobody cares to acquire that data. Anyone can download those from multiple places on the internet. It is already publicly available. What you are trying to protect with "Full disk encryption" is your DATA. Not the kernel, not lilo, not your master boot record. It is sufficient to follow the README_CRYPT.txt and set up an encrypted system with LUKS + LVM.
 
1 members found this post helpful.
Old 03-14-2021, 02:46 PM   #12
davjohn
Member
 
Registered: Jan 2017
Posts: 65

Rep: Reputation: Disabled
Quote:
Originally Posted by mralk3 View Post
Encrypting /boot is not necessary. Elilo, lilo and the kernel are all well known code bases. There is no reason to encrypt the partition that contains them because nobody cares to acquire that data. Anyone can download those from multiple places on the internet. It is already publicly available. What you are trying to protect with "Full disk encryption" is your DATA. Not the kernel, not lilo, not your master boot record. It is sufficient to follow the README_CRYPT.txt and set up an encrypted system with LUKS + LVM.
Well, the point of encrypting /boot is that someone can replace the kernel/lilo with a compromised one, which can include a keylogger or whatever, and when you unlock the partition it can get your password.
The same can actually be done with the boot loader. Secure Boot can help here, but Secure Boot can be disabled in the BIOS without much trouble, so I don't know a solution for this yet.
Maybe some kind of checksum of boot/efi, but this is checked too late, but at least you know that something was changed.
 
1 members found this post helpful.
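The checksum idea from the post above, sketched as an added example that is not code from the thread: hash every file under /boot, keep the baseline somewhere the unencrypted partition cannot reach, and compare after unlocking. The function names, the sample file names and the assumption that the baseline is stored on the encrypted root or on removable media are illustrative. As the post says, the check runs after the passphrase has already been typed, so it detects tampering rather than preventing it.

```shell
#!/bin/sh
# Added example (not from the thread): detect changes to an unencrypted /boot.
# Assumption: the baseline file lives on the encrypted root or on removable
# media, so whoever can modify /boot cannot also rewrite the baseline.

boot_manifest() {   # $1 = directory; prints "sha256  ./path" lines, sorted by path
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

boot_verify() {     # $1 = directory, $2 = baseline; returns 1 on any difference
    cur=$(mktemp) || return 2
    boot_manifest "$1" > "$cur"
    rc=0
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }   # hash, then path (may contain spaces)
        FILENAME == ARGV[1] { base[p] = h; next }        # first file: the baseline
        !(p in base)        { print "ADDED    " p; bad = 1; next }
        base[p] != h        { print "MODIFIED " p; bad = 1 }
                            { delete base[p] }
        END { for (p in base) { print "REMOVED  " p; bad = 1 }; exit bad + 0 }
    ' "$2" "$cur" || rc=$?
    rm -f "$cur"
    return "$rc"
}

selftest() {        # constructed sample tree standing in for /boot
    t=$(mktemp -d) || return 2
    mkdir -p "$t/boot/EFI/Slackware"
    echo kernel > "$t/boot/vmlinuz-generic"
    echo initrd > "$t/boot/initrd.gz"
    echo loader > "$t/boot/EFI/Slackware/elilo.efi"
    boot_manifest "$t/boot" > "$t/baseline"
    boot_verify "$t/boot" "$t/baseline" && echo "clean tree: no changes"
    echo 'initrd-modified' > "$t/boot/initrd.gz"      # simulated change
    boot_verify "$t/boot" "$t/baseline" || echo "change detected"
    rm -rf "$t"
}

case "${1:-}" in
    baseline) boot_manifest "$2" > "$3" ;;
    verify)   boot_verify "$2" "$3" ;;
    selftest) selftest ;;
esac
```

Regenerate the baseline after every kernel, initrd or boot loader update, otherwise legitimate changes show up as MODIFIED.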
Old 03-14-2021, 04:17 PM   #13
mralk3
Senior Member
 
Registered: May 2015
Distribution: Slackware on ARM and Aarch64
Posts: 1,573

Rep: Reputation: 891
Quote:
Originally Posted by davjohn View Post
Well, the point of encrypting /boot is that someone can replace the kernel/lilo with a compromised one, which can include a keylogger or whatever, and when you unlock the partition it can get your password.
The same can actually be done with the boot loader. Secure Boot can help here, but Secure Boot can be disabled in the BIOS without much trouble, so I don't know a solution for this yet.
Maybe some kind of checksum of boot/efi, but this is checked too late, but at least you know that something was changed.
It is much easier to do a man in the middle attack over the network and compromise the web browser. Then you will have access to anything in the user's home directory. Assuming mandatory access controls are not in place. There are many other MUCH easier ways to get at data, rather than to steal their laptop from work/home, create a compromised ramdisk/kernel, to include a key logger, or any other malware.

EDIT:

Chances are more likely that such an attacker with access to your machine is going to:

1. Erase your disk and install something new
2. Take the hard disk out and put in a new one
3. Sell it at a pawn shop

Nobody is going to go through all the trouble to beat encryption unless you are dealing with a government state. Then you have bigger problems.

Last edited by mralk3; 03-14-2021 at 04:20 PM.
 
Old 03-14-2021, 05:07 PM   #14
Tonus
Member
 
Registered: Jan 2007
Location: Paris, France
Distribution: Slackware-current
Posts: 922
Blog Entries: 3

Rep: Reputation: 250
Quote:
Originally Posted by mralk3 View Post
Nobody is going to go through all the trouble to beat encryption unless you are dealing with a government state. Then you have bigger problems.
Sure. But you won't know till you have.

I am sure you miss some widely spread corner cases: industrial spy, ex-wife/husband, new wife/husband's ex, misbehaving teens and so on.

This is all about, with "reasonable" workload, how to make breaking in hard enough to have villains give up. As for your home ;-)
 
2 members found this post helpful.
Old 03-15-2021, 07:49 AM   #15
jr_bob_dobbs
Member
 
Registered: Mar 2009
Distribution: Slackware,Linux From Scratch
Posts: 544
Blog Entries: 93

Rep: Reputation: 151
Quote:
Originally Posted by slac View Post
Did you not want to say "Before that it was luks over lvm" instead? Otherwise you said the same twice, I think.
Yeah. D'oh! I'm a dope. I meant LVM over LUKS. I'd been using LVM and then (a year ago, because of a new drive) LVM2.

I'm not sure the differences but since I needed to use thin provisioning within the LVM, I thought it best to jump to LVM2.

Last edited by jr_bob_dobbs; 03-15-2021 at 07:50 AM.
 
  

